Saturday, February 6, 2016

The Real Reason Why the V5 Compliance Date Needs to be Postponed

Note: This post builds on the two previous posts, starting with this one.

In my last two posts, I have been assuming that NERC would support the trade associations' request to push back the CIP v5 compliance date three months, to match that of CIP v6 – July 1. However, I have now heard that they may be opposed to the idea. In fact, I’m willing to speculate that this may be why the trade associations decided to petition FERC two days ago – because they weren’t getting anywhere with NERC itself.

In their petition, the trades made the argument that the burden of having to comply with CIP version 5[i] for just three months, then switch to v6, would be large and would constitute a significant waste of resources and diversion of attention (rather than have one version switchover, they would have to conduct two switchovers within three months; this includes having two sets of processes, two sets of documentation, two sets of training programs, etc.).

However, if you look at what exactly is involved here, this argument isn’t too compelling. While there are some significant additions to the requirements in CIP v6, these won’t come into effect until 2017 through 2019. The only change that will take place on July 1 is removal of the “Identify, Assess and Correct” language from 17 v5 requirements (with some rewriting of the requirements themselves to reflect this fact). All NERC entities have known this language would be removed for two years, and I believe all of the NERC regions (and NERC itself) said last year that, if v6 doesn’t come into effect on April 1, they will still audit the v5 standards with the assumption that entities are not required to comply with the IAC language. In other words, no entity should have to make any substantial switchover at all come July 1, since the seven v6 standards will effectively have been in place since April 1 – not their v5 counterparts.

However, there is an excellent reason for moving the CIP v5 compliance date back by three months: there has been so much uncertainty about the meaning of the v5 requirements and definitions, and especially about the most fundamental requirements and definitions – those that tell you what cyber assets are in scope for CIP v5. This includes (but is certainly not limited to!) a) the word “Programmable” in the Cyber Asset definition; b) the words “adverse impact on the BES” in the BES Cyber Asset definition; c) the definition of External Routable Connectivity; and d) the many questions about how virtualized devices are to be handled, given that CIP v5 is silent on this issue and that the definition of Cyber Asset seems to exclude any virtual devices. All of these issues have been the subject of extensive debate and various assurances by NERC that they would be addressed. Here is a short, and certainly incomplete, synopsis of those discussions, as told in my posts:

In March 2014, I wrote a post summarizing what NERC was saying about fixing interpretation problems in CIP v5. They pointed to two sets of documents that would be coming out: the RSAWs and the results of the CIP v5 Implementation Study. I won’t go into details here, but neither of these ended up providing any sort of real guidance.

In this post from September 2014, I was quite excited that NERC was starting to put out guidance in the form of Lessons Learned documents, although I was skeptical they could address the many interpretation problems in v5 in time for entities to become fully compliant on April 1, 2016. At the time, I thought all substantial issues would have to be addressed by NERC before April 1, 2015. Otherwise, entities would never be ready for compliance on April 1, 2016, and the compliance date would need to be pushed back.

In December 2014, I wrote my first post calling for the compliance date to be moved back 6 to 12 months. My reasons? For one, some big entities weren’t going to receive their first dollar of CIP v5 compliance funding until 2015, since FERC hadn’t approved v5 until November 2013, after their 2014 budgets were set in stone.[ii] But the biggest reason was that many entities expected NERC to clarify most of the big interpretation issues (especially those having to do with scope), and they were waiting for this clarification before fully moving forward with their CIP v5 programs. I compared this to the two main characters in Samuel Beckett’s classic play “Waiting for Godot”. Those two gentlemen spend the whole play waiting for Godot to show up, despite the fact that they both know he never will.

In February 2015 I wrote about WECC’s CIP User Group meeting in January. I pointed out that Tobias Whitney of NERC had said there would be 15 Lessons Learned developed by April 1, 2015. Unfortunately, this was quite optimistic. In fact, as of today I believe there are only four finalized Lessons Learned. There have been a number of Lessons Learned (including one on “Programmable” that I thought was very good) that have been unceremoniously withdrawn.

In late April, NERC introduced five “Memoranda” that purported to provide “mandatory” guidance on various issues. Some of that guidance was actually good, in my opinion, but the idea that NERC staff could provide mandatory guidance, when there is no provision for that in the Rules of Procedure, was received very badly in the NERC community. NERC withdrew all of the Memoranda in early July, and since then has issued some Lessons Learned that, while quite good, only discuss different compliance approaches – they don’t choose which is the best among them.

At the December 2015 CIPC meeting, and again in a webinar in January, Tobias Whitney admitted that some important issues – including the four mentioned above – were being turned over to the standards drafting process. This is certainly the right way to address these issues; it would also be nice if this process had been started two years ago (as I was advocating at the time; I was given a flat "no" by Steve Noess of NERC when I asked this question at the Dec. 2013 CIPC meeting). It will take a bare minimum of 3-4 years for these changes to be developed and balloted (multiple times), approved by NERC and FERC, and come into effect (the SDT started developing CIP v5 in early 2011; it's now coming into effect in mid-2016, 5 1/2 years later). What happens until then? It is up to the entities to determine how to deal with the various ambiguities, a process I call “roll your own”. I have discussed it in a number of posts, starting with this one.

As you can see, the entities have been whipsawed back and forth on these issues. Of course, none of this is to say that they aren’t ultimately responsible for their state of compliance, which they are. But I truly believe that a three-month reprieve in v5 compliance would be a godsend for many NERC entities, since as it stands now, after April 1 many of them might have to spend as much time writing self-reports as they do strengthening their CIP v5 compliance posture. It may be justice that they not get a reprieve, but I suggest that “tempering justice with mercy”[iii] is the appropriate course.

PS: I have heard that pushing the compliance date back may play havoc with the regional audit schedules, since audits scheduled for April through June will have to be somehow fit in at a later date (and the schedules are made up years in advance). I understand this problem, and hope it can be addressed in some way.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] Specifically, standards CIP-003-5, CIP-004-5, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1 and CIP-011-1. If CIP v6 had come into effect on April 1, these would have been superseded by their v6 counterparts and therefore been stillborn. As it stands now, they will live on for three months in a kind of limbo state – the living dead, you might say.

[ii] Of course, I’m sure there were many entities whose CFOs were able to look beyond the fact that CIP v5 hadn’t been officially approved and still put v5 money in the 2014 budget, given that there was little doubt v5 would be approved. However, there were also some entities that weren’t so fortunate.

[iii] While I don’t think he invented it, this phrase was used by the famous Chicago lawyer Clarence Darrow in his plea for mercy at the trial of Leopold and Loeb – who were on trial for a crime much more serious than violating NERC CIP!